Copyright 2015 Splunk Inc.
Splunk Cloud as a SIEM for Cybersecurity Collaboration
Timothy Lee, CISO, City of Los Angeles
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
City of Los Angeles
- 4 million people, 465 sq mi, 15 Council Districts
- 2nd largest city in the US
- 1.8 million employed
- 42.2 million annual visitors
- 42 departments with 35,000 FTE
- Port of LA, Airport, Water and Power: 3 proprietary departments, all managing their own networks
- Information Technology Agency (ITA) manages the rest
Our Challenge
- IT Security Team is understaffed
- Dispersed log capturing capabilities
- Minimal use of collaboration tools
- Lack of an Incident Management platform
- No integrated threat intelligence program
- Limited situational awareness and operational metrics for the City as a whole
- Imbalance in response capability
- Growing cyber threats including DDoS and malware
Mayor's Executive Directive on Cybersecurity
- Facilitate the identification and investigation of cyber threats and intrusions against City assets
- Ensure incidents are quickly, properly, and thoroughly investigated by the appropriate law enforcement agency
- Facilitate dissemination of cybersecurity alerts and information
- Provide a uniform governance structure accountable to City leadership
- Coordinate incident response and remediation across the City
- Serve as an advisory body to City departments
- Sponsor independent security assessments to reduce security risks
- Ensure awareness of best practices
Our Solution: Integrated Security Operations Center
Leveraging Splunk Cloud and Splunk Enterprise Security
Integrated Security Operations Center
[Diagram: City of LA Integrated SOC. Functions: Collect, Report, Promote, Collaborate. Inputs: Situational Awareness, Threat Intelligence. Internal partners: Information Security (ITA, LAWA, DWP, POLA) and Physical Security (LAPD, LAXPD, LAPP, DWP). External partners: FBI, Threat Info Services, DHS/USSS, MS-ISAC.]
Integrated Security Operations Center
How Did We Sell It Internally?
- Prepare to answer why you need a SIEM and why cloud-based:
  - Security Audit Report (Recommendation and Action Plan)
  - Compliance Gap Assessment Report
  - Security metrics (numbers of intrusion attempts, incidents, outages caused by incidents, top attackers, threat activity and trends, etc.)
  - Present it from the business risk perspective
- Engage others outside of IT to also help sell it
- Provide the potential risks of not implementing a SIEM
- Share real-world examples of cyber incidents and costs that your audience can relate to
- Provide a source of funding for implementation and operations
- Align results to organizational goals
Example: Executive Dashboards
Use Case Example: Top Attackers
Use Case Example: Top Destination by Specific Attacker
Use Case Example: Malware Monitoring
Lessons Learned
- Conduct a SOC readiness assessment before anything else
- Prepare to answer why you need a CSOC
- Look for grant opportunities
- Pick the right tools and technology
- Be mindful of operating costs
- Pick the right contractor
- Pick the right team. Invest in people.
- Cybersecurity collaboration and information sharing are essential
Resources
- Security Operation Center Concepts & Implementation, Renaud Bidou
- How to Deploy SIEM Technology, Gartner, March 02, 2015
- Using SIEM for Targeted Attack Detection, Gartner, March 12, 2014
- Top 6 SIEM Use Cases, InfosecInstitute.com, May 15, 2014
Q&A
THANK YOU